Did you stay at a Marriott or Starwood hotel between 2014 and 2018?

~339M guest records exposed in the Starwood reservation database (initially estimated 500M, later revised)

2014 to 2018 years the Starwood reservation database was compromised

5M+ unencrypted passport numbers exposed

MDL 2879 civil class action consolidated in the District of Maryland

Why this is real and why it matters now

Marriott acquired Starwood in 2016 and inherited a compromised reservation database that had been breached since 2014. The exposure included passport numbers (5 million unencrypted), payment cards, addresses, and birth dates of approximately 500 million guests. The FTC reached a consent decree; civil class actions and individual reimbursements are ongoing.

Marriott disclosed in November 2018 that the Starwood guest reservation database had been compromised since 2014, exposing data of about 339 million guests (the initial 500M estimate was later revised downward). Exposed data included payment-card information, addresses, dates of birth, and more than 5 million unencrypted passport numbers across Marriott, Starwood, Sheraton, Westin, W Hotels, St. Regis, and Le Méridien properties.

Civil cases were consolidated as MDL 2879 in the District of Maryland and settled in late 2024 with free credit monitoring, identity restoration, and reimbursement of documented out-of-pocket losses (including passport replacement). The Federal Trade Commission separately reached a consent order in October 2024 requiring data-deletion mechanisms and security improvements; the FTC order does not include monetary payments to consumers.

What you might receive. documented identity-theft losses can be reimbursed up to $5,000; $67/hour for time spent remedying the breach; free credit monitoring; passport-replacement reimbursement.

The evidence

What was exposed, where the cases stand, and what consumers can claim:

Starwood reservation database compromised since 2014 Hackers maintained access from approximately 2014 through 2018, exposing data of about 339 million guests across Marriott-family brands (Starwood, Sheraton, Westin, W Hotels, St. Regis, Le Méridien). Marriott Disclosure (Nov 2018), SEC Filings
5+ million unencrypted passport numbers exposed Beyond standard PII, the breach exposed millions of passport numbers in unencrypted form, plus payment-card data and loyalty-program details. Marriott Investigation Report
Civil class action settled in MDL 2879 (D. Maryland) Cases consolidated as MDL 2879 in the District of Maryland. Settlement provides free credit monitoring, identity restoration, and reimbursement of documented out-of-pocket losses (including passport replacement). Settlement Notice, MDL 2879
FTC consent order in Oct 2024 Separate from the civil settlement, the FTC reached a consent order requiring Marriott to improve security and offer U.S. consumers a way to request data deletion. The FTC order does not include monetary payments to consumers. FTC press releases (Oct 2024)

How this case got here

2014 Attackers compromise the Starwood reservation database.
Sept 2016 Marriott acquires Starwood, inheriting the still-undetected compromise.
Nov 2018 Marriott discloses the breach publicly.
2019 Multiple class actions are consolidated as MDL 2879 in the District of Maryland.
Oct 2024 FTC announces a consent order with Marriott (security and data-deletion requirements).
Late 2024 MDL 2879 civil class action settles with credit monitoring and documented-loss reimbursement.

Where the Marriott / Starwood settlement stands now

Nov 2018 Breach disclosed publicly Marriott discloses the Starwood reservation database compromise. Initial estimate was 500M guests; later revised to about 339M.
2019 MDL 2879 consolidated in D. Maryland Class actions centralized in the District of Maryland for coordinated pretrial proceedings.
Oct 2024 FTC consent order announced Separate from the civil class action, the FTC reached a consent order with Marriott requiring security improvements and a US data-deletion mechanism. The FTC order does not include monetary payments to consumers.
Late 2024 MDL 2879 civil class settles Settlement provides free credit monitoring, identity restoration, reimbursement of documented out-of-pocket losses (up to $5,000), and time-spent reimbursement at $67/hour.
2025 to 2026 Distribution and ongoing administration Claim payments distributed; identity restoration services available to enrolled class members.

Who qualifies

You likely qualify if

You stayed at a Marriott-family hotel (Marriott, Starwood, Sheraton, Westin, W Hotels, St. Regis, Le Méridien) between 2014 and Sept 2018
You can produce a reservation confirmation, loyalty-account record, or credit-card statement showing the stay

Worth checking if

You provided passport information at check-in (additional reimbursement may apply)
You have documented identity-theft or fraud costs since 2018
You have no records of stays but believe you may have been affected

You probably don't qualify if

Your only stays were after Sept 2018
You never stayed at a Marriott-family property in the affected window

Stayed at a Marriott-family hotel between 2014 and 2018?

The civil settlement provides credit monitoring, identity restoration, and reimbursement for documented losses (including passport replacement). The eligibility check above confirms whether you're in the class.

Check eligibility →

What the Marriott settlement provides

Two tracks: the civil class settlement (MDL 2879) and the separate FTC consent order. The FTC order does not include direct consumer payments; the civil settlement does.

Diagnosis or claim type	Projected payout range	What drives the tier
Documented identity-theft loss reimbursement	Up to $5,000	Civil class settlement. Out-of-pocket costs related to identity theft or fraud tied to the breach, with documentation.
Time-spent reimbursement	$67 per hour	Civil class settlement. Compensates time spent remedying the breach, with self-certification for limited hours and supporting docs above the threshold.
Passport replacement reimbursement	Up to $200 (or replacement cost)	For class members whose passport numbers were among the 5+ million unencrypted in the breach.
Free credit monitoring	Multi-year coverage	Provided through the settlement-designated credit-monitoring vendor for the program's duration.
FTC consent order (no consumer payments)	$0 direct payment	The FTC consent order requires security improvements and a data-deletion mechanism but does not include monetary payments to consumers.

Civil settlement figures are as published by the court-appointed administrator. Documented-loss thresholds vary; review the official settlement notice for specifics.

How to access what's available

1

Verify your stays in the affected window

Gather any record of stays between 2014 and Sept 2018 at Marriott, Starwood, Sheraton, Westin, W Hotels, St. Regis, or Le Méridien. Reservation confirmations, loyalty-account records, or credit-card statements all work.
10 to 30 minutes.
2

Check inclusion at the official site

The official settlement administrator's site (marriottdatabreach.com) helps verify class inclusion. The eligibility check above routes you there.
Under 5 minutes.
3

Enroll in free credit monitoring

Class members are eligible for free credit monitoring through the settlement-designated vendor. Enrollment is via the official settlement site.
Free, enrollment under 10 minutes.
4

Submit any documented-loss or passport-replacement claims

Documented identity-theft costs and passport replacement costs can be submitted with supporting records. Check the current claim windows at the official site.
Window timing varies; check the administrator's site for current deadlines.

Important dates for the Marriott settlement

Civil settlement claim windows and credit-monitoring enrollment have specific dates that change over time. The official site is the authoritative source for current windows.

Civil class settlement claim windows: check the official administrator's site for current deadlines.
FTC consent order data-deletion mechanism: open-ended (Marriott must provide US consumers an ongoing way to request data deletion).
If you experience new identity-theft costs tied to the breach, the documented-loss claim window may still be open or may reopen; the official site is the source of truth.
State consumer-protection laws (notably California's CCPA) may provide additional remedies for new harms.

Settlement windows shift. The eligibility check above routes you to the official administrator for current status and any open claim windows.

About the settlement administrator

claimscout is not the settlement administrator and is not a law firm. We route you to the official sources and help you understand what is available.

Official administrator: The court-appointed Marriott settlement administrator. The official site is marriottdatabreach.com.
FTC oversight: The FTC enforces the separate Oct 2024 consent order requiring security and data-deletion compliance.
Free services only: All settlement services are free to affected consumers.
Direct access: You can go directly to the official site without using this page.

claimscout is not affiliated with Marriott, the settlement administrator, the FTC, or any state attorney general's office. We provide informational matching only.

Common questions

Which hotel brands are covered?

Marriott, Starwood, Sheraton, Westin, W Hotels, St. Regis, Le Méridien, Aloft, and the Marriott-owned timeshare and loyalty programs that integrated with the Starwood reservation database.

What was actually exposed?

About 339 million guest records: names, addresses, phone numbers, email addresses, passport numbers (5+ million in unencrypted form), Starwood Preferred Guest account info, dates of birth, and in some cases payment card information.

What if my passport number was in the breach?

If your passport number was exposed and you replaced your passport because of the breach, you can claim passport-replacement reimbursement under the civil settlement.

Why is there both a civil settlement and an FTC consent order?

They are separate proceedings. The civil class action (MDL 2879) is plaintiff-driven and provides money to class members. The FTC consent order is regulator-driven and requires Marriott to fix its security and offer data deletion; it does not include consumer payments.

I stayed at a Marriott in 2020. Am I covered?

No. The breach window for the Starwood reservation database was 2014 through September 2018. Stays after that are outside the class definition.

What if I cannot find old reservation records?

Common, and not necessarily disqualifying. Credit-card statements, frequent-traveler-program records, and email confirmations all help verify inclusion. The administrator's lookup tool is the fastest path.

Can I delete my data from Marriott under the FTC order?

Yes. The Oct 2024 FTC consent order requires Marriott to provide US consumers an ongoing way to request data deletion. Look for the data-deletion request mechanism on Marriott's site or via the FTC's enforcement page.

Is claimscout the official administrator?

No. The official administrator runs marriottdatabreach.com. claimscout is an informational matching service that routes you to the official sources.

What does this cost me?

Nothing. We get paid by the law firms or affiliate fees from the court-appointed administrator. You pay zero up front and zero out of any payout you receive.

Will lawyers spam-call me?

Only if you check the consent box. We give you the choice. If you do not consent, your claim is captured and we route it to the administrator directly without sharing your phone number.

Can I file directly without you?

Yes, always. If we route your claim to a law firm, you can choose to file directly with the same firm or pick a different one. We exist because most people throw the notice letter away. We make it not happen.

Is claimscout a law firm?

No. We are not a law firm and do not provide legal advice. We are a platform that captures your claim, qualifies it, and routes it to the court-appointed administrator or a law firm of your choice.